Disaster Recovery Scenario Question

Hi. I have the following convoluted setup on Windows Server 2019:

  1. Clients Windows Server backup backs up 2 servers to my backup drive
    B:\WindowsServerBackup{servername} (B: for 50 TB RAID backup not the 1.44MB old school :floppy_disk:)

  2. These get compressed to two temporary folders (on another physical disk for performance reasons) with a 7zip script run via Task Scheduler (every fortnight alternating between servers) with a spanned archive using 499MB span files (35GB total compressed - the cloud provider below does not allow uploads equal or greater than 500MB so this is a workaround)

  3. The 499 MB files get randomly chosen and “drip fed” into my sync vault every 4 hours via Task Scheduler via powershell, due to low upload bandwidth. (If the backup files are all copied at once to the vault (instead of drip fed over a few days to the syncvault they monopolise the sync and so none of the CCTV files are synced - see below).
    Another workaround.

  4. My sync program syncs to cloud over 75kbps ADSL2+ upload link.

In the syncvault there is also another folder containing around 600GB of CCTV files which are being updated constantly, oldest are moved to yet another archive drive and current CCTV files are added.

My Question is:
In a disaster scenario do I need to only pull the 35GB of data from the cloud provider to do a restore of the server backups or would I need to pull all 635GB to rebuild the vault, in order to restore the servers?

Reason being pulling 635GB would take about a week vs 10 hours for 35GB - a week being an unacceptable downtime for my client to restore backups.

The :cn: cloud provider claims to encrypt on disk at their side but is using some old and known to be insecure protocols (SSL2 / TLS 1.0) to a storage provider in Los Angeles :us: so that’s why I need everything secure at my end :koala: :kangaroo: :australia: before it hits the wire. Trusting my data on their :cn: side is 0.

I understood: you store your backup and your CCTV files in one vault. If you want to restore from your backup, you do not want to download the complete vault.
I would recommend to separate your backup and your CCTV files into 2 vaults.
Why? Because if you have a look into your cloud space you’ll notice that you are not able identify wether an encrypted file/folder belongs to a CCTV or a backup file. You only can identify complete vaults.
But besides my recommendation: there is a solution.
You can access your vault only online and then download the backup files only without local sync.
This can be done with cyberduck. How do I use Cryptomator without local sync?

Thanks mate, that was my first thought to use different vaults. It didnt seem like a viable solution with their (ASUS) sync app, I will look further into it and report back if I come across a solution that works. Cloud provider is ASUS web storage, its 1TB free if you buy an ASUS product so I took the free storage and switched over from Google Drive :us: to CCP :cn: drive.

Oh, you are using ASUS Cloud.
I would love to read your experience with them.
As they are often listed in “who is the cheapest” rankings, I assume some of the users of cryptomator consider to use this service.
For me it seems that the do not offer WebDAV support which makes the online vaults inaccessible for cryptomator mobile apps. Maybe you can confirm that in the linked post or correct me?

Michael. They use “ASUSwebsync” application on Windows and also have a web interface via a browser. If you install the app on your ASUS laptop you get the 1TB free storage, which is not obvious from their documentation, which is clearly written by someone with English as a second language.

I took your suggestion and created a dedicated vault for backups and set that as the “backup folder” in ASUS websync app. (there is also a “normal” sync folder you can specify in the app which I pointed to the CCTV vault). Don’t believe there is WebDAV support only FTP. So 1971 :joy:

The upload bandwidth is not great typically around 50-60kbps goes to one of three coresite.com data centers in Los Angeles California USA (uploading from Australia anyway). I did upload tests over both 4G and ADSL2+ via different ISPs and it made no difference to the upload bandwidth. I believe it is being throttled at their end, or maybe its going through the great firewall of China, who knows?

I sniffed the network traffic with Wireshark and I have issues with the security of the ASUSwebsync app as it is still using TLS 1.0 (a 20 year old protocol with known vulnerabilities, particularly BEAST) and in one case was still using SSL2 (which is so insecure that it might as well be plaintext! [https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0]) They have had issues in the past with their app update server being compromised (Shaddowhammer attack reported by Kaspersky). So my confidence in their data security is not great. The EU privacy laws are so much better than ours. You get what you pay for. Caveat emptor!

Good to see this website is on TLS 1.3 with a half decent crypto, although I would go to AES256 and SHA384. GCM is good. AES128 is close to being broken in the next decade. I dont trust DHE (somewhat) or vanilla RSA anymore, ECDHE is the way to go. Just finished hardening my clients OpenVPN (control channel) VPNs so I’m a versed in this.

With the US, China and Australia and others all spying on our data these days , its good to have you blokes (and women) offering a product like Cryptomator. Going through the source is great. The 1.5.0 release is brilliant. Thanks!

Kolan :koala: on Eucalyptus :herb: now :bulb::joy: Goodnight from Australia brother.